ui: fix missing htmlEncodes

username can include some special characters, so we have to escape them backport from pve6 Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2020-05-12 12:11:08 +02:00 · 2020-05-12 12:11:08 +02:00 · 74f2df2f5f
commit 74f2df2f5f
parent e5bdba1d9c
9 changed files with 11 additions and 5 deletions
--- a/www/manager6/Workspace.js
+++ b/www/manager6/Workspace.js
@ -170,7 +170,7 @@ Ext.define('PVE.StdWorkspace', {
 	var ui = me.query('#userinfo')[0];

 	if (Proxmox.UserName) {
-	    var msg =  Ext.String.format(gettext("You are logged in as {0}"), "'" + Proxmox.UserName + "'");
+	    var msg =  Ext.String.format(gettext("You are logged in as {0}"), "'" + Ext.String.htmlEncode(Proxmox.UserName) + "'");
 	    ui.update('<div class="x-unselectable" style="white-space:nowrap;">' + msg + '</div>');
 	} else {
 	    ui.update('');
--- a/www/manager6/dc/ACLView.js
+++ b/www/manager6/dc/ACLView.js
@ -111,7 +111,7 @@ Ext.define('PVE.dc.ACLView', {
 		return '@' + ugid;
 	    }

-	    return ugid;
+	    return Ext.String.htmlEncode(ugid);
 	};

 	var columns = [
--- a/www/manager6/dc/Log.js
+++ b/www/manager6/dc/Log.js
@ -68,6 +68,7 @@ Ext.define('PVE.dc.Log', {
 		{ 
 		    header: gettext("User name"), 
 		    dataIndex: 'user',
+		    renderer: Ext.String.htmlEncode,
 		    width: 150
 		},
 		{ 
@ -79,6 +80,7 @@ Ext.define('PVE.dc.Log', {
 		{ 
 		    header: gettext("Message"), 
 		    dataIndex: 'msg',
+		    renderer: Ext.String.htmlEncode,
 		    flex: 1	  
 		}
 	    ],
--- a/www/manager6/dc/TFAEdit.js
+++ b/www/manager6/dc/TFAEdit.js
@ -368,6 +368,7 @@ Ext.define('PVE.window.TFAEdit', {
 				{
 				    xtype: 'displayfield',
 				    fieldLabel: gettext('User name'),
+				    renderer: Ext.String.htmlEncode,
 				    cbind: {
 					value: '{userid}'
 				    }
--- a/www/manager6/dc/Tasks.js
+++ b/www/manager6/dc/Tasks.js
@ -101,6 +101,7 @@ Ext.define('PVE.dc.Tasks', {
 		{
 		    header: gettext("User name"),
 		    dataIndex: 'user',
+		    renderer: Ext.String.htmlEncode,
 		    width: 150
 		},
 		{
--- a/www/manager6/dc/UserEdit.js
+++ b/www/manager6/dc/UserEdit.js
@ -72,6 +72,7 @@ Ext.define('PVE.dc.UserEdit', {
                name: 'userid',
                fieldLabel: gettext('User name'),
                value: me.userid,
+		renderer: Ext.String.htmlEncode,
                allowBlank: false,
                submitValue: me.isCreate ? true : false
            },
--- a/www/manager6/dc/UserView.js
+++ b/www/manager6/dc/UserView.js
@ -110,11 +110,11 @@ Ext.define('PVE.dc.UserView', {
        ];

 	var render_username = function(userid) {
-	    return userid.match(/^(.+)(@[^@]+)$/)[1];
+	    return Ext.String.htmlEncode(userid.match(/^(.+)(@[^@]+)$/)[1]);
 	};

 	var render_realm = function(userid) {
-	    return userid.match(/@([^@]+)$/)[1];
+	    return Ext.String.htmlEncode(userid.match(/@([^@]+)$/)[1]);
 	};

 	Ext.apply(me, {
--- a/www/manager6/form/UserSelector.js
+++ b/www/manager6/form/UserSelector.js
@ -29,6 +29,7 @@ Ext.define('PVE.form.UserSelector', {
 			header: gettext('User'),
 			sortable: true,
 			dataIndex: 'userid',
+			renderer: Ext.String.htmlEncode,
 			flex: 1
 		    },
 		    {
--- a/www/manager6/window/Settings.js
+++ b/www/manager6/window/Settings.js
@ -36,7 +36,7 @@ Ext.define('PVE.window.Settings', {
 	    var sp = Ext.state.Manager.getProvider();

 	    var username = sp.get('login-username') || Proxmox.Utils.noneText;
-	    me.lookupReference('savedUserName').setValue(username);
+	    me.lookupReference('savedUserName').setValue(Ext.String.htmlEncode(username));

 	    var settings = ['fontSize', 'fontFamily', 'letterSpacing', 'lineHeight'];
 	    settings.forEach(function(setting) {